Solid As A Rock – Under Siege

I wonder what you all think of my entry to the Rag Tag Daily Challenge, the word is ROCK.

I’m going to post some pictures, but first I want to tell you about what happened to me on Friday. This is a warning to everyone who is reading, and I mean everyone.

Don’t ever be complacent about your website security. I have created several websites over the last few weeks and they are all wrapped up strong and secure. On my travels I have discovered several sites that have been hacked; whilst this is not pleasant, it has given me some insight into how I should be securing my own sites and my clients’ sites. I am currently in the business of promoting businesses and organisations, amongst other things. As a result I have been involved in website building and, recently, hosting, with a special interest in website security.

On Friday morning I did my usual round of checking all of my sites, and there was nothing unusual to report except for one site in particular. The site in question already had some tough security on it, which is probably what saved it up to that point. I noticed that during the night there had been repeated failed sign-ins on the admin page of that site. I decided to watch closely and ran a check on it to make sure no one had got in. As the morning wore on the login attempts were coming in thick and fast. I changed all the passwords and still the activity pages were pinging like crazy. Bots had latched onto my site and were trying multiple usernames and passwords; the usernames were popping up on my screen. They were trying names like Admin, Admin2 and SignIn; thankfully the username on that site is nothing generic, so they weren’t going to guess it fast. They tracked through the site and were even trying pet names from the site. As time went on I contacted the security guys behind my hosting service and they were doing things at their end too; they escalated the issue to the highest level. All the while the bot was trying and trying and trying to get in. Every attempt ended in failure.

In the end I changed the URL of my sign-in screen and instantly the bot was gone! Just like that, as fast as it had all started, the attacks ceased.

The message behind this story: please, please don’t use ‘admin’ or ‘admin2’ or even your own name as a sign-in name. If you wish, I can privately show you the log of attempted sign-ins the bot used. DO NOT use your pet’s name or the name of your child, or any place you have visited, or anything else that might fall into this category. I can tell you that the bot, or the human operating it, had trawled my site and was using my pets’ names to try to get in. You would be amazed at how many people use their dog’s name as a password. Change your sign-in screen URL (most are yoursite.com/admin or yoursite.com/login, and the bots know this). If you don’t know how to change this screen then ask me; there’s a contact form on my site. Add a CAPTCHA and a two-stage login screen to your site too. Don’t make it easy for yourself to be hacked.
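The pattern described above, a single source hammering the login page with default names and words lifted from the site itself, is easy to spot in a login audit log once you count failures per source inside a short time window. The script below is an added example, not code from this post or its author: it parses constructed sample log lines in a generic layout (not the format of any particular WordPress plugin or host), flags sources that exceed a failure threshold, reports which of the tried names are well-known defaults (the post mentions Admin, Admin2 and SignIn; the other entries in the list are common defaults added here as an assumption), and includes a check you can run against your own login name or password candidate to see whether it is a word already visible on your site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Names the post saw the bot try (admin, admin2, signin) plus a few other
# well-known defaults added as an assumption; extend for your own sites.
GENERIC_USERNAMES = {"admin", "admin2", "administrator", "signin",
                     "login", "root", "test", "user"}

# Layout of the constructed sample lines below (not a real plugin's format).
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<result>FAILED|SUCCESS) login "
    r"user=(?P<user>\S+) ip=(?P<ip>\S+) path=(?P<path>\S+)$"
)

# Constructed sample log: the first source tries default names and the site's
# own pet names within seconds; the second is a normal editor signing in.
SAMPLE_LOG = """\
2019-01-11 02:14:07 FAILED login user=admin ip=203.0.113.17 path=/wp-login.php
2019-01-11 02:14:09 FAILED login user=Admin2 ip=203.0.113.17 path=/wp-login.php
2019-01-11 02:14:11 FAILED login user=SignIn ip=203.0.113.17 path=/wp-login.php
2019-01-11 02:14:14 FAILED login user=rex ip=203.0.113.17 path=/wp-login.php
2019-01-11 02:14:16 FAILED login user=bella ip=203.0.113.17 path=/wp-login.php
2019-01-11 02:14:19 FAILED login user=administrator ip=203.0.113.17 path=/wp-login.php
2019-01-11 08:30:12 FAILED login user=site_owner_7 ip=198.51.100.5 path=/wp-login.php
2019-01-11 08:30:40 SUCCESS login user=site_owner_7 ip=198.51.100.5 path=/wp-login.php
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the layout."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
    return rec


def max_failures_in_window(times, window):
    """Largest number of failures from one source inside any span of length `window`."""
    times = sorted(times)
    best, start = 0, 0
    for end, t in enumerate(times):
        while t - times[start] > window:   # slide the window's left edge forward
            start += 1
        best = max(best, end - start + 1)
    return best


def detect_bruteforce(log_text, threshold=5, window=timedelta(minutes=10)):
    """Flag source IPs with at least `threshold` failed logins inside `window`.

    Returns {ip: {"failures": n, "usernames": [...], "generic_names": [...]}}.
    """
    failures = defaultdict(list)   # ip -> timestamps of failed logins
    usernames = defaultdict(set)   # ip -> usernames tried
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["result"] != "FAILED":
            continue
        failures[rec["ip"]].append(rec["ts"])
        usernames[rec["ip"]].add(rec["user"])

    report = {}
    for ip, times in failures.items():
        burst = max_failures_in_window(times, window)
        if burst >= threshold:
            tried = sorted(usernames[ip])
            report[ip] = {
                "failures": burst,
                "usernames": tried,
                "generic_names": [u for u in tried if u.lower() in GENERIC_USERNAMES],
            }
    return report


def appears_in_site_text(candidate, site_text):
    """True if a login name or password candidate is a word visible on the site
    itself (pet names, children, places), compared case-insensitively."""
    words = set(re.findall(r"[A-Za-z0-9']+", site_text.lower()))
    return candidate.lower() in words


if __name__ == "__main__":
    for ip, info in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {info['failures']} failures in window, tried {info['usernames']}, "
              f"generic names: {info['generic_names']}")
    page = "Our dogs Rex and Bella love walks on the beach."   # constructed site text
    print("Bella appears on the site:", appears_in_site_text("Bella", page))
```

With the sample log only 203.0.113.17 is flagged (six failures in twelve seconds, four of them default names), while the editor's single mistyped password at 198.51.100.5 stays below the threshold. Feed `detect_bruteforce` your own log after adapting `LINE_RE` to its layout, and run `appears_in_site_text` over your site's pages before settling on a login name.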

The sedimentary rock with the heart is really cool – it’s surprising how often that shape turns up in nature. So you’re designing websites? Brilliant. 🙂

Any site can be hacked – the Aust Government email server was illegally accessed last week! Good passwords are key as you said. But anyone who is determined and has specialist knowledge or tools will get in if they are serious.

Speaking of security… you might want to know that Google’s Chrome browser is telling me your site is ‘not secure’, and has this to say:
To see whether a website is safe to visit, you can check for security info about the site. Chrome will alert you if you can’t visit the site safely or privately.

In Chrome, open a page.
To check a site’s security, to the left of the web address, look at the security status:
1. Secure
2. Info or Not secure
3. Not secure or Dangerous
To see the site’s details and permissions, select the icon. You’ll see a summary of how private Chrome thinks the connection is.

Your site’s address has the 3. line showing in icon form!

I think it has to do with the site’s security certificate not being considered sufficient or up to date? (In fact I have just compared with my WordPress site and yours does not seem to have a certificate at all as far as Google is concerned?)

Hi Bob, I do have a certificate on my site, which is https://LifeAmazing.net. I wonder what address you are coming in on, as I have a couple of domains pointed to it. I moved my main site in the past few days but my old .com name is still at the old host; I will most likely delete that. I’d be interested to know what site address you are seeing; it could simply be down to which one is bookmarked or being linked (I hope).